Jere's Techblog

Linux Change TLS-SNI-01 because TLS-SNI-01 validation is reaching end-of-life

Two days ago I received the mail below.
TLS-SNI-01 will no longer be supported in the future. With this guide I’ll show you how to update the Let’s Encrypt certificate to the new standards. In my concrete example it is a Debian System 9.7 (Stretch) with a Nextcloud (Apache webserver) and certbot.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue
a certificate in the past 60 days. Below is a list of names and IP
addresses validated (max of one per account):

************

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

First of all ensure you have certbot version 0.28.0 oder newer installed. Ensure your usig those comnmands with the root/admin user.

 certbot --version || /path/to/certbot-auto --version

If the version is older, use the following link to update Certbot.

https://certbot.eff.org/

Use only the install section of the instructions to update the certbot application. With my Debian example it is the following command:

apt-get install certbot python-certbot-apache -t stretch-backports

Now you have to remove the references to tls-sni-01 in your renewal configuration:

sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

To finish, a dry renewal with certbot must be carried out.

certbot renew --dry-run

Here you can find detailed information about Let’s Encrypt update with Certbot. https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

and with this link you will find general information about the TLS-SNI-01 expiration https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Leave a Reply